Recently, I was reading the Times on the early train to London, and I came across a multi-page section on Cloud Security – proof positive that cloud services are now firmly on the business agenda. While I understand the attraction of cloud in delivering quick, cost effective and scalable solutions to business problems, it strikes me that it also presents yet another opportunity for the business to cut IT (and particularly IT Security) out of the decision making process.

A few weeks back the BCS Information Systems Security Group held their AGM at IBM Bedfont and a number of IBMers including myself presented during the course of the day. My topic was “Maintaining Security Governance in the Cloud”.

My central theme was that cloud computing offers the prospect of delivering IT capacity that dynamically flexes to meet changing business requirements.However, this flexibility and cost-effectiveness comes at a price.There is a substantial risk that sensitive information will leak out of the business, and the lack of transparency of the provider’s security processes make it essential that the business’s security governance processes are adapted to reflect these new risks.

So, faced with a new set of risks and preparing to trade control over IT systems (and their security) for the benefits of the SPI model of cloud services, never has it been so vital for the business to take good advice from security Subject Matter Experts on the ﻿﻿increased governance processes needed to protect the business data and (more importantly) its reputation. Studies and surveys regularly report that 75% or more of businesses view security as the biggest single inhibitor to moving their IT operations into the Cloud. This suggests that those businesses understand – at least intuitively – that traditional controls are built on physical access to the technology stack and that Cloud deployment models mean that control is passed to the Cloud Provider. Nevertheless, a recent study conducted by Ponemon Institute for Symantec (“Flying Blind in the Cloud. The State of Information Governance“) suggests that businesses are prepared to enter into contracts with Cloud Service Providers, without engaging their IT security team to advise them:

65% select a CSP based on market reputation (word of mouth) while only 18% utilise their in-house security team to carry out an assessment

80% admit that their in-house security team is rarely or never involved in the selection of s CSP

49% are not confident that their organisation knows all the cloud services that are deployed.

Review specific information security governance structure and processes, as well as specific security controls, as part of due diligence when selecting cloud service providers

Incorporate collaborative governance structures and processes between the business and the provider into service agreements

Engage their Security SMEs when discussing SLAs and contractual obligations, to ensure that security requirements are contractually enforceable.

Understand how current security metrics will change when moving to the cloud.

Include security metrics and standards (particularly legal and compliance requirements) in any Service Level Agreements and contracts.

Security SMEs will help to bring this about, when we can present a clear and unambiguous explanation to the business as to how the balance of risks and controls is altered in e Public Cloud and how this needs to translate to more sophisticated shared governance. this in turns requires that we have a precise definition of what Cloud is and a robust baseline of cloud security knowledge. The Cloud Security Alliance has introduced the Certificate of Cloud Security Knowledge (CCSK) to address this latter issue. This certification is not designed to replace existing well-established schemes, such as CISSP, CISM and CISA, but rather to demonstrate competence in the specific security challenges of Cloud deployments, by testing an understanding of two significant and authoritative documents:

The CCSK is strongly supported by a broad coalition of experts and organizations from around the world. The collaboration with ENISA means that the world’s two leading organizations for vendor neutral cloud security research are providing the foundation for the industry’s first cloud security certification. CSA’s breadth of industry participation and strategic alliances are being leveraged to communicate the need and value of this certification to employers within cloud providers, cloud consumers, consultants and variety of other stakeholders. I’ll nail my colours to the mast here and commit to sitting the CCSK exam before the end of this year. How about you?

A few days ago, I was invited to IBM South Bank for a workshop on Identity and Access Management (IAM) Governance. The workshop was timed to coincide with the launch of the latest release of Tivoli Identity Manager (v5.1). IBM’s press release describes the new features in TIM v5.1, but I’ll summarise them here:

Role management capabilities The latest version of TIM allows the definition of (optionally nested) roles. Roles are not used to manage user access to resources, but rather provide a structure through which to do it more efficiently.

Separation of duty capabilities
Separation of duty is a policy-driven feature to manage potential or existing role conflicts. A separation of duty policy is a logical container of separation rules that define mutually exclusive relationships among roles. Separation of duty policies are defined by one or more business rules that exclude users from membership in multiple roles that might present a business conflict.

User recertification
TIM provides a process to periodically certify and validate a user’s access to IT resources, combines recertification of a user’s accounts, group memberships of accounts, and role memberships into a single activity.

Group management capabilities
TIM now allows the creation of groups of users, to help with automation of identity management processes.

Tivoli Common Reporting
TIM’s reporting capabilities have been migrated to IBM Tivoli Common Reporting. This component is based on the Eclipse Business Intelligence Reporting Tool and provides custom report authoring, report distribution, report scheduling capabilities, and the ability to run and manage reports from multiple IBM Tivoli products.

New APIsAdditional APIs, workflow extensions and Javascript functions are provided to support the new functionality of this release.

The theme for the day was IAM Governance and in IBM’s view “Tivoli Identity Manager delivers important functionality for identity and access management governance”. The new features support governance, by enforcing compliance through product policies (as opposed to technical policies – see Earl Perkins’ blog for more details) and by allowing reconciliation between the policy-based view of user entitlements, stored in TIM’s directory and the reality, defined on the managed platforms and applications. While regulatory mandates don’t demand the use of roles (though corporate policy might) they do offer a simplified abstraction, through which access can be governed. At the risk of being pedantic, I’d call this compliance, rather than governance, but it’s all down to your own definition.

Uniquely among the major IAM vendors, IBM chose not to acquire a niche role management vendor to add this capability and instead developed the capability in-house, as an integral part of their identity management platform. This has the positive effect of avoiding the inevitable difficulties of bringing together two distinct (and often conflicting) technology platforms and development teams. Sun, Oracle and CA are all working through these issues currently, following their acquisitions of VAAU, Bridgestream and Eurekify respectively. On the negative side, it means that role management in TIM is a “work in progress”. However, I’m assured that IBM plan to release further functionality in this area, during the 2nd half of 2009.

What would I like to see added to the role management capability? I think that a function to help with the discovery and mining of roles from existing entitlement data would speed up the creation and deployment of an initial enterprise role structure. I have to declare an interest here. As a consultant, who specialises in the organisational change required for IAM programmes, I strongly favour the ability to run the role mining and discovery effort without the need to deploy the identity management infrastructure and connectors. Once an initial enterprise model is complete (and agreed) then it can be imported into the identity management system, where it should become subject to life cycle management, with TIM providing recertification and approval for changes to role definitions. This approach is elegantly illustrated by CA’s deployment architecture for Eurekify. So, if I had a vote, I’d say integrate role life cycle management into TIM and leave role mining as a stand-alone tool.

My final thought relates to Governance, Risk and Compliance. The objective must be to take result from computerised controls (such as TIM) and use those results to update an overall picture of the organisation’s risk exposure. This is the job of a GRC Management platform. In the final session of the South Bank workshop, IBM showed how TIM can be used in conjunction with Tivoli Compliance Insight Manager. This closed loop integration between security event management and identity and access management allows administrators to compare real user behaviour with desired behaviour, exactly as an auditor would. TCIM can provide a graphical representation of the information, along the lines of a heat map. IBM partner with niche vendors, such as Sailpoint and Aveksa, to deliver a complete IAM Governance solution. Personally, I’d love to see the TIM and TCIM products integrated with (for example) the excellent STREAM integrated risk and assurance management platform from Acuity.

By way of a conclusion, this latest release of TIM continues to address the use cases needed by IAM professional and does it with the benefit of a simple and consistent user interface and a simple trouble-free install process. If there’s a downside, then it’s that TIM is a monolithic application, limiting the ability of an organisation to pick the parts they need to start with. Having said that, organisations can readily deploy the application and utilise initially (say) reconciliation, recertification or compliance reporting, without needing to design and implement the heavyweight user provisioning and role management functions.

Disclosure

Readers may notice from my profile that I’m currently employed as a Senior Managing Consultant in IBM’s Global Business Services. However, at the time of writing this article, I was an independent consultant, with no commercial relationship with IBM.